The present invention relates to mechanisms for protecting electronic documents (files) against unauthorized use, and, in particular, against unauthorized copying or printing.
An electronic document is an electronic information container. The information stored in the container may include, but is not limited to, characters, graphic images, moving pictures, sound, and animation.
It is quite difficult to protect against unauthorized leaks of information. Photocopy machines, facsimiles, and other technologies permit information that has been fixed on a paper medium to be easily copied and distributed. In the case of electronically stored information, computers can instantly construct a virtually unlimited number of identical copies of electronically stored information.
One object of the invention is to designate one or more people as authorized distributors. A further object of the invention is to designate one or more people as authorized customers with the following constraints:
i) The authorized distributor may designate itself or others as authorized customers.
ii) The authorized distributors may distribute an electronic document to one or more authorized customers.
iii) For each electronic document distributed to each authorized customer, the authorized distributor may assign one or more document handling rules. Example document handling rules are permitting read-only access or permitting read and print access.
iv) Authorized customers may not distribute documents unless they are also authorized distributors. It is possible that zero or more authorized customers are also authorized distributors.
Example requirements:
The authorized customers should not be prohibited from making backups.
Only standard hardware and software assumptions should be made. For example, although hardware dongles provide copy protection services, many vendors do not wish to limit the sale of the software to the collection of customers who own or are willing to install a dongle.
When a customer legitimately obtains a document, the customer should be able to use the document on any machine regardless of ownership. The customer should optionally be able to authorize simultaneous usage of the document on multiple machines.
Attack scenario of FIG. 3 (against the mechanism of FIG. 2):
1. After completing the correctly authorized scenario of FIG. 2, an authorized customer 209 obtains an encrypted file 203. The file 203 is encrypted using the symmetric key K.
2. The encrypted symmetric key 208 is provided to the customer 209.
3. The customer's decryption mechanism, e.g., smart card, performs the decryption operation. The customer 209 saves the plain text symmetric key K.
4. If the customer 209 wishes to make an unauthorized copy of the file, the customer 209 passes, as shown at 314, the encrypted file 313 (copied from the encrypted file 203), the encrypted symmetric key 311 (copied from the encrypted symmetric key 208), and the plain text symmetric key K 312 to an unauthorized customer 315.
5. The unauthorized customer's Viewer program, which uses the file, provides the encrypted symmetric key 311 to the unauthorized customer 315 (the Viewer program does not know that the customer 315 is not authorized).
6. The unauthorized customer's decryption mechanism fakes the decryption operation because the unauthorized customer 315 does not have the customer's private key. Instead, the unauthorized customer's decryption mechanism returns the plain text symmetric key 312 obtained in step 4. Since this is the correct symmetric key, the Viewer believes that the unauthorized customer knows how to perform the required decryption operation. As a result, the Viewer permits the unauthorized customer 315 to view or use the file.
Asymmetric confidentiality protocol:
A ← B: h(r), B, P_A(r,B)
A → B: r
Notation:
A → B denotes that A sends a message to B; and A ← B denotes that B sends a message to A.
r denotes a random number used as a nonce.
h(r) is a message digest of the nonce.
P_A(r,B) is the encryption of the nonce and B's identity using A's public keying material.
Variants of probabilistic proofs:
a) zero-knowledge-proofs, where it is provable that B or any observer of the proof learns nothing from the proof, except the fact that A possesses the private keying material.
b) witness-challenge-response-proofs, which comprise the following 4 elements in sequence:
1. The prover claiming to be A selects a random element from a pre-defined set as its secret commitment (providing hidden randomization) and from this computes an associated (public) witness. This provides initial randomness for variation from other protocol runs and defines a set of questions, all of which the prover claims to be able to answer, thereby a priori constraining his or her forthcoming response. Only the legitimate party A, with knowledge of A's secret, is truly capable of answering all of the questions, and the answer to any one of these questions provides no information about A's long-term secret.
2. B's subsequent challenge selects one of these questions.
3. A provides its response.
4. B checks the response for correctness.
Asymmetric cryptographic schemes that may be used in the invention:
a probabilistic proof scheme,
an asymmetric confidentiality scheme, or
a digital signature scheme.
Consider the situation described in FIG. 1. In FIG. 1, an authorized distributor 101 sends information 106 (electronic documents) to each of several authorized customers 102, 103, 104. The distributor 101 sends the information 106 in encrypted form to ensure that no unauthorized intruder can view the information while the information is in transit. Many of the customers, e.g., an authorized first customer 102 and an authorized second customer 103 use the documents 106 as intended. That is, the customers who use the document correctly do not forward the documents to others. However, some customers, e.g., an authorized third customer 104, may attempt to perform actions beyond his or her authorization. That is, the third customer 104 may attempt to forward the documents 106 to one or more unauthorized customers 105. The present invention prohibits the third customer 104 from forwarding the documents 106 to any unauthorized customer 105 unless the authorized third customer 104 is also an authorized distributor.
Some example requirements that a security mechanism may potentially satisfy are listed below:
The distributor should be permitted to distribute an identical version of the document software to all authorized customers. This requirement permits the documents to be distributed through normal channels such as, for example, CD-ROMs, floppy disks, or network bulletin boards.
It should be excessively difficult and/or computationally infeasible for a potential pirate to circumvent the security mechanism.
The security mechanism should not disclose the customer's private keying material to the distributor, any program distributed or produced by the distributor, or any potential Trojan horse program. Though the primary functionality is to protect the document vendor and distributor, one must not do so at the expense of the customer.
The present invention complies with the example requirements by providing a special copy protected program called the Viewer program that displays the contents of the protected document (file). The term "display" is used liberally in order to include showing, audio-broadcasting, or printing. The present invention's security mechanism ensures that one cannot view the protected file without using the Viewer program. Furthermore, the Viewer program prohibits viewing by anyone other than an authorized user.
The present invention can be used for any file which is used via a program, independent from the content of the file.
The protection of such files is important in very different scenarios, some of them are explained below:
Micro Publishers:
A micro publisher is a home hobbyist or small business who is willing to experiment with Internet publishing. An example micro publisher is a photographer who takes pictures at a sporting event and then sells the pictures to a newspaper.
Legacy Electronic Publishers:
The Legacy electronic publishers publish electronic documents. An example legacy electronic publisher is a major encyclopedia company.
Copyright Enforcers and Direct Marketers:
Some organizations are more interested in preventing copyright infringement rather than generating revenue.
Advertisers:
Advertisers are willing to pay advertising fees when they are sure that the advertisement is, in fact, embedded in the file and cannot be changed without authorization.
Document Labelers:
A document labeler inserts a label on a document, e.g., company confidential. The document labeler also inserts a document handling rule. For example, no non-company employee is an authorized customer of any company confidential document.
In "Cryptolope Container Technology," by International Business Machines, Mar. 3, 1997 (available on the World Wide Web at http://www.cryptolope.ibm.com/white.htm), an application layer cryptographic encapsulation mechanism is described.
The basic mechanism is as illustrated in FIG. 2. The mechanism initiates when a vendor 201 generates a file (e.g. a document with the content of a newspaper, magazine, music, etc.) and encrypts the file using a symmetric key K. The vendor encrypts the symmetric key using the vendor's public key 204. The vendor sends as shown at 202 both the encrypted document 203 and the encrypted symmetric key 204 to a customer 209. Subsequently, the customer 209 and the vendor 201 coordinate payment information. During this coordination, the customer 209 sends a purchase request which includes the encrypted symmetric key 205 (copied from the encrypted symmetric key 204) and a certificate containing the customer's public key 207. Next, the vendor 201 decrypts the symmetric key using the vendor's private key and then re-encrypts the symmetric key using the customer's public key 207 (obtained from the customer's certificate). The vendor 201 sends as shown at 210 the re-encrypted symmetric key 208 back to the customer 209. Using the customer's private key, the customer 209 decrypts the original file. All of the customer's functionality described above is performed by a special Viewer program.
In the above mentioned mechanism, the customer 209 must perform an asymmetric decryption operation to obtain a symmetric file encryption key K. The intent is that the customer 209 must have his or her asymmetric private key in order to perform the asymmetric decryption operation.
However, the above mentioned mechanism is vulnerable to attack, e.g. by the attack scenario of FIG. 3 (steps 1 to 6 listed above). As that scenario shows, the customer's "decryption mechanism" is never required to perform a private-key operation; it only has to hand the Viewer the correct symmetric key K, which a copied plain text K satisfies.
As can be seen from this attack, the known mechanism does not prove that the customer 315 has the correct asymmetric private key. As a result, this mechanism does not protect against unauthorized document redistribution.
An overview of asymmetric cryptography, for example the RSA scheme, and of probabilistic encryption, for example the Blum-Goldwasser probabilistic public-key encryption scheme, can be found in Menezes et al. supra.
An overview of different probabilistic proof schemes, for example zero knowledge proof schemes (e.g. the Feige-Fiat-Shamir scheme, Guillou-Quisquater scheme, Blum-Feldman-Micali scheme, Brassard scheme, Crépeau scheme, etc.) or witness hiding proof schemes (e.g. the Feige-Shamir scheme, etc.), can be found in Menezes et al. supra.
An overview of digital signature schemes (e.g. Rivest-Shamir-Adleman, etc.) and a formal mathematical definition of digital signatures can be found in Menezes et al. supra.
An example of a message digest function (otherwise known as a one-way hash function) is MD5 (see R. Rivest, "The MD5 Message-Digest Algorithm," RFC 1321, April 1992). It is computationally infeasible or very difficult to compute the inverse of a message digest.
In P. Fenstermacher et al., "Cryptographic Randomness From Air Turbulence in Disk Drives," Advances in Cryptology: Crypto '94, Springer Verlag, 1994, pp. 114-120, cryptographic randomness from air turbulence in disk drives is described.
The Chi-Square Test, the Kolmogorov-Smirnov Test, and the Serial Correlation Test are described in D. Knuth, "The Art of Computer Programming," Vol. 2, Seminumerical Algorithms, Reading, Mass.: Addison-Wesley Publishing Co., 1981, pp. 38-73.
An object of the present invention is to provide an improved mechanism to protect a file that is able to satisfy most, if not all, of the example requirements described above.
An asymmetric cryptographic mechanism includes public keying material and corresponding private keying material. It is computationally infeasible to compute the private keying material when given no more information other than the corresponding public keying material. In the present invention, asymmetric cryptography is used in interactions between two parties, A and B. A proves to B that A has access to private keying material, and B validates the proof. A does not disclose the private keying material to B.
Some important asymmetric cryptographic algorithms that may be used in the present invention are listed below.
Asymmetric Confidentiality Scheme:
An asymmetric confidentiality protocol involves two parties, A and B. A possesses private keying material, and B has no access to it; A demonstrates possession of the private keying material without disclosing the private keying material itself. At the beginning, A and B have no shared secret. During the method, a shared secret becomes known to A and B.
An example of an asymmetric confidentiality proof is public key encryption. As illustrated in the asymmetric confidentiality protocol below, A proves to B that A has access to the private keying material.
The protocol scheme above uses the notation listed with it. The protocol proceeds as follows:
Here, B generates a nonce and encrypts the nonce (together with B's identity) using A's public keying material, i.e., P_A(r,B).
Additionally B computes the message digest of the nonce, h(r).
B sends the information described above, along with a value representing B's identity, to A.
Next, A uses its private keying material to decrypt P_A(r,B), obtaining r and B. A computes the message digest of the decrypted random value r and compares the result against the h(r) obtained from B. At this point, the random number is a shared secret known by both A and B.
In order to complete the protocol, A returns the random number to B to demonstrate that A knows the secret. Of course, once A provides the disclosure, the secrecy of the random number is lost. B validates A's proof by checking for equality between A's returned secret against the one that B originally generated.
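The following is an added example, not part of the patent text, that puts the FIG. 3 weakness and the asymmetric confidentiality protocol above side by side. It assumes a toy textbook RSA key pair for A built from two public Mersenne primes (illustration only, no padding), uses SHA-256 as the message digest h, and fixes an eight-byte nonce r and an eight-byte identity for B; the function names, the constructed key K and the "replay" prover standing in for unauthorized customer 315 are all constructed for the example. The old-style Viewer check accepts anyone who can hand back the right K, including a party holding only a copied K, whereas the challenge-response check passes only a party that can actually decrypt P_A(r,B).

```python
import hashlib
import secrets

# Toy textbook RSA key pair for party A (the authorized customer). The two
# Mersenne primes are public constants, so this is illustration only: a
# real key pair uses secret primes and a padded encryption scheme.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q                      # about 150 bits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

NONCE_LEN = 8                  # bytes of the nonce r
ID_LEN = 8                     # bytes of B's identity; r || B is 128 bits < N
KEY_LEN = 16                   # bytes of the symmetric file key K


def encrypt_for_a(r: bytes, b_identity: bytes) -> int:
    """P_A(r,B): encrypt the nonce and B's identity under A's public keying material."""
    assert len(r) == NONCE_LEN and len(b_identity) == ID_LEN
    return pow(int.from_bytes(r + b_identity, "big"), E, N)


def decrypt_by_a(ciphertext: int) -> tuple:
    """A's private operation: recover (r, B) from P_A(r,B)."""
    blob = pow(ciphertext, D, N).to_bytes(NONCE_LEN + ID_LEN, "big")
    return blob[:NONCE_LEN], blob[NONCE_LEN:]


def smart_card_decrypt_key(encrypted_k: int) -> bytes:
    """Step 3 of the FIG. 3 scenario: the authorized customer's card recovers K."""
    return pow(encrypted_k, D, N).to_bytes(KEY_LEN, "big")


def honest_prover(h_r: bytes, b_identity: bytes, ciphertext: int):
    """A, holding the private keying material: decrypt, check B and h(r), return r."""
    r, b = decrypt_by_a(ciphertext)
    if b != b_identity or hashlib.sha256(r).digest() != h_r:
        return None
    return r


def make_replay_prover(leaked_key: bytes):
    """Unauthorized customer 315: no private key, only the copied plain text K 312,
    which its 'decryption mechanism' returns whatever it is asked (steps 4 to 6)."""
    def replay(*_ignored):
        return leaked_key
    return replay


def old_viewer_accepts(decryptor, encrypted_k: int, k_digest: bytes) -> bool:
    """FIG. 2 style check: the Viewer only tests that the key handed back is the
    right K (modelled here by comparing a digest of K), so a copied K passes."""
    return hashlib.sha256(decryptor(encrypted_k)).digest() == k_digest


def challenge_response_accepts(prover, b_identity: bytes = b"VIEWER01") -> bool:
    """A <- B: h(r), B, P_A(r,B);  A -> B: r.  Run by B (the Viewer) against a prover."""
    r = secrets.token_bytes(NONCE_LEN)
    h_r = hashlib.sha256(r).digest()
    return prover(h_r, b_identity, encrypt_for_a(r, b_identity)) == r


def make_file_key() -> tuple:
    """Constructed sample: a fresh K, K encrypted for A (key 208), and a digest of K."""
    k = secrets.token_bytes(KEY_LEN)
    encrypted_k = pow(int.from_bytes(k, "big"), E, N)
    return k, encrypted_k, hashlib.sha256(k).digest()


if __name__ == "__main__":
    k, enc_k, digest = make_file_key()
    replay = make_replay_prover(k)
    print("old check, honest card :", old_viewer_accepts(smart_card_decrypt_key, enc_k, digest))
    print("old check, replayed K  :", old_viewer_accepts(replay, enc_k, digest))
    print("new check, honest A    :", challenge_response_accepts(honest_prover))
    print("new check, replayed K  :", challenge_response_accepts(replay))
```

The point of the design is that the Viewer never learns A's private keying material and never even sees K during the proof: it only checks that the nonce it encrypted comes back, which requires a fresh private-key operation per run.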
A second example of an asymmetric confidentiality protocol is a probabilistic encryption scheme, e.g. the Blum-Goldwasser probabilistic public key encryption scheme. Here, the encryption or decryption mechanism uses random numbers or other probabilistic means.
Digital Signature Scheme:
A digital signature is an electronic analog of a handwritten signature. A digital signature proof involves at least two parties, A and B. After posting his or her public keying material to a public location, A encrypts a message using the private keying material. Since anyone may access the public keying material, there is no message secrecy. However, since A is the only customer with access to the private keying material, no one else can "forge A's signature" by performing the encryption. Anyone may validate A's signature using the public keying material.
Probabilistic Proof Scheme
A probabilistic proof involves at least two parties, A and B. A possesses private keying material, and B has no access to it; A demonstrates possession of the private keying material without disclosing the private keying material itself. A's proof is probabilistic rather than absolute because B forces A to demonstrate, by supplying evidence, that A probably has access to the private keying material.
There are two variants of probabilistic proofs, items a) and b) listed above. The witness-challenge-response format comprises the following four steps:
1. A sends information which is not constant for all invocations of the proof to B. This information is called the witness. For many protocols, the witness is generated randomly and should never be repeated.
2. B sends information to A called the challenge. For many protocols, the challenge is generated randomly.
3. A sends a response to B.
4. B verifies whether A indeed knows the private keying material by executing computations involving the witness, the challenge, and the response.
In fact, many zero-knowledge-proofs are witness-challenge-response-proofs.
Zero knowledge proof schemes are known, e.g. the Feige-Fiat-Shamir scheme, as taught in Menezes et al. supra, or the Guillou-Quisquater scheme, also taught in A. Menezes et al., Handbook of Applied Cryptography, CRC Press, Inc., 1997, pp. 22-23, 224-233, 250-259, 308-311, 405-424, 433-438, 572-577; but also mono-directional zero knowledge proof schemes, e.g. the Blum-Feldman-Micali scheme, or statistical zero knowledge proof schemes, e.g. the Brassard scheme or the Crépeau scheme, etc. Witness hiding proof schemes are also known, e.g. the Feige-Shamir scheme, etc.
One should not confuse probabilistic public-key encryption (for the purpose of providing confidentiality) with probabilistic proofs. In the first case, probabilistic means are used to execute the encryption algorithm. In the second case, probabilistic means are used to define a degree of assurance for a service such as identification.
In the following, one possible general structure of a zero-knowledge protocol is described, following Menezes et al. supra. For illustrative purposes, this general structure is also of the witness-challenge-response-proof format (the four steps listed above).
The protocol involves two parties, A and B.
The protocol may be iterated to improve the bound limiting the probability of successful cheating: each round in which the challenge is a single bit halves the chance that a party without the private keying material answers correctly by luck.
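An added example, not part of the patent, of the witness-challenge-response structure just described, using the basic Fiat-Shamir identification scheme (as in Menezes et al.) with a one-bit challenge. It assumes a toy modulus built from two public Mersenne primes (a real scheme uses a modulus whose factorization is secret), and the class and function names are constructed for the example. The honest prover holds the secret s; the "guessing" prover knows only the public v and must bet on the challenge bit before committing to its witness, which is exactly why iterating the rounds drives a cheater's success probability towards zero.

```python
import random

# Toy modulus from two known Mersenne primes (illustration only; in a real
# scheme nobody but a trusted setup may know the factorization).
N = ((1 << 61) - 1) * ((1 << 89) - 1)


def keygen(rng: random.Random) -> tuple:
    """A's long-term secret s and the public value v = s^2 mod N."""
    s = rng.randrange(2, N)
    return s, pow(s, 2, N)


class HonestProver:
    """A: commits to a random x (witness x^2), answers y = x * s^e for challenge e."""

    def __init__(self, s: int, rng: random.Random):
        self.s, self.rng, self.x = s, rng, 0

    def witness(self) -> int:                 # step 1: fresh commitment per round
        self.x = self.rng.randrange(1, N)
        return pow(self.x, 2, N)

    def respond(self, e: int) -> int:         # step 3: y reveals nothing about s
        return (self.x * pow(self.s, e, N)) % N


class GuessingProver:
    """Someone without s: guesses the challenge bit in advance and shapes the
    witness so that only that one challenge is answerable (1/2 chance per round)."""

    def __init__(self, v: int, rng: random.Random):
        self.v, self.rng, self.y = v, rng, 0

    def witness(self) -> int:
        self.y = self.rng.randrange(1, N)
        w = pow(self.y, 2, N)                 # answerable if e == 0
        if self.rng.randrange(2) == 1:        # bet on e == 1 instead
            w = (w * pow(self.v, -1, N)) % N  # then y^2 == w * v holds
        return w

    def respond(self, e: int) -> int:
        return self.y                         # the only answer prepared


def verify(prover, v: int, rounds: int, rng: random.Random) -> bool:
    """B: steps 2 and 4, iterated; checks y^2 == w * v^e mod N every round."""
    for _ in range(rounds):
        w = prover.witness()
        e = rng.randrange(2)
        y = prover.respond(e)
        if pow(y, 2, N) != (w * pow(v, e, N)) % N:
            return False
    return True


def honest_passes(rounds: int, seed: int = 0) -> bool:
    rng = random.Random(seed)
    s, v = keygen(rng)
    return verify(HonestProver(s, rng), v, rounds, rng)


def cheating_success_rate(rounds: int, trials: int, seed: int = 0) -> float:
    """Fraction of trials in which a prover without s passes all rounds; about 2^-rounds."""
    rng = random.Random(seed)
    _, v = keygen(rng)
    wins = sum(verify(GuessingProver(v, rng), v, rounds, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("honest, 20 rounds        :", honest_passes(20))
    print("cheater, 1 round         :", cheating_success_rate(1, 1000))
    print("cheater, 20 rounds       :", cheating_success_rate(20, 200))
```

Each round's response y is uniformly distributed and independent of s, so a transcript gives the verifier no information about the long-term secret; the assurance comes only from the number of rounds survived.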
A digital watermark scheme discourages unauthorized document distribution by embedding in a document a unique identification symbol.
A chosen-plain text attack is one where the adversary chooses plain text and is then given corresponding ciphertext. Subsequently, the adversary uses any information deduced to recover plain text corresponding to previously unseen ciphertext (see Menezes et al., supra).
An adaptive chosen-plain text attack is a chosen-plain text attack wherein the choice of plain text may depend on the ciphertext received from previous results (see Menezes et al. supra).
A zero knowledge proof protocol resists both chosen-plain text attacks and adaptive chosen-plain text attacks.
In all asymmetric cryptographic schemes, each customer may post his or her public keying material to a publicly accessed directory without compromising the corresponding private keying material. The customer usually should guard his or her private keying material as a close secret; otherwise, the cryptographic system may not guarantee correctness (secrecy). The best known mechanism for protecting one's private keying material is through the use of a smart card. In this case, the smart card is a device with no interface for releasing private keying material (in a non-cryptographically protected form).
Although smart cards provide the best protection, social factors of electronic commerce may play a role in ensuring private keying material protection. One of the significant difficulties associated with asymmetric encryption services is authentication. For example, if A posts his or her public keying material to a public directory, then how does B assess validity? That is, a pirate may attempt to masquerade as A but post the pirate's keying material. Some commercial organizations provide solutions to this problem by acting as Certification Authorities (CA). For (possibly) a fee, the CA solicits identifying material from potential customers such as a driver's license or passport. After validating the identifying material, the CA posts the customer's public keying material to a public directory, and the CA signs a certificate (using a digital signature with the CA's private key) that holds the customer's public keying material. Standardized services, for example X.500, may be adopted to help facilitate the use of directories that contain public keying material.
Once a customer posts his or her public keying material to the CA, the customer will probably make an extensive effort to protect his or her private keying material. For some asymmetric keys, if the customer's private keying material were to become unknowingly compromised, then the customer would have cause for significant concern. For example, in the case of RSA keys that can also be used for digital signatures, networked vendors may potentially authorize electronic commerce transactions.
An object of the present invention is to provide an improved mechanism that is able to satisfy most, if not all, of the example requirements described above.